Vulnerability Description
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding an extra double-quote character (") to a URL that carries embedded malicious JavaScript code.
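The advisory describes an attribute-injection bug: a URL that contains a double quote is copied verbatim into an href="..." attribute, so the quote ends the attribute early. As an added illustration (not mailparser's own code, whose textToHtml() differs), the hypothetical linkifier below shows that unsafe construction beside a hardened version that HTML-escapes every interpolated value and only links http(s) URLs that parse cleanly. All function names and the sample input are constructed for this example.

```javascript
// Escape a string for use in HTML text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Matches http(s) URLs in plain text; note that it deliberately does not
// stop at a double quote, which is what makes the unsafe version break.
const URL_RE = /\bhttps?:\/\/[^\s<>]+/g;

// Unsafe (hypothetical): the matched URL is inserted into href="..." verbatim,
// so any double quote inside the URL terminates the attribute and whatever
// follows it is parsed as further attributes of the <a> element.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened (hypothetical): every piece of text is HTML-escaped, and a URL is
// turned into a link only if the WHATWG URL parser accepts it with an http or
// https scheme. The parser also percent-encodes characters such as '"' in
// the path, so the href never contains a raw quote even before escaping.
function linkifySafe(text) {
  const out = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out.push(escapeHtml(text.slice(last, m.index)));
    const url = m[0];
    let href = null;
    try {
      const u = new URL(url);
      if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
    } catch (_) {
      // Not a parseable URL: fall through and emit it as escaped plain text.
    }
    out.push(href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`
      : escapeHtml(url));
    last = m.index + url.length;
  }
  out.push(escapeHtml(text.slice(last)));
  return out.join('');
}
```

With the constructed input `See http://example.com/a"b for details`, the unsafe version emits a broken `<a href="http://example.com/a"b">` while the hardened one emits `href="http://example.com/a%22b"` and `&quot;` in the link text.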
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodemailer | Mailparser | < 3.9.3 |
Related Weaknesses (CWE)
References
- https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a (Exploit, Third Party Advisory)
- https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4 (Patch)
- https://github.com/nodemailer/mailparser/issues/412 (Issue Tracking)
- https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032 (Third Party Advisory)
FAQ
What is CVE-2026-3455?
CVE-2026-3455 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker ca...
How severe is CVE-2026-3455?
CVE-2026-3455 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-3455?
Check the references section above for vendor advisories and patch information. Affected products include: Nodemailer Mailparser.